Eight security tips from the HBGary Hack

Intimate details of the HBGary hack attack are now available, and they teach many lessons about how to protect your systems.

Thanks to Ars Technica and H-online.com, we now have intimate details of the Anonymous attack against security research company HBGary. There are no surprises in how the attacks were carried out, but we can draw many morals from the story, even if we've heard them time and time again.

Here's an executive summary of how the attack was carried out, and how you can defend against the same things happening to your systems.

1. Use Off-the-Shelf Software

HBGary Federal's Website ran a content management system (CMS) that was created especially for the company. There's a debate to be had as to whether off-the-shelf software is more secure than custom-made solutions.

On the one hand, exploits for off-the-shelf solutions are often published far and wide and, in the case of a zero-day exploit, can leave system administrators rushing to fix their systems as quickly as possible.

Commissioning custom software offers security via obscurity -- there isn't a body of knowledge about how to hack the system, and no source code to search through to find vulnerabilities. However, the system will need to be routinely audited for security -- a costly procedure but utterly necessary.

Had HBGary Federal gone for an off-the-shelf solution, it's arguable the first stage of the attack -- a simple SQL injection -- wouldn't have been possible. Most commercial CMS solutions are security audited at source, to avoid end-users having to do so, and are regularly patched when problems are found.

2. Patch Your Systems Regularly

Had HBGary Federal been using an off-the-shelf CMS, it might still have been vulnerable if the system wasn't regularly patched. So, assuming you're running an off-the-shelf system, patch your systems regularly -- both software and the underlying OS. If you haven't already, buy a support contract to make life significantly easier.

Patching a system can introduce problems, of course, but that's why you should be creating copies of your servers, where you can test the patches before rolling them out to your customer-facing systems. Virtualization offers a perfect method of doing this (especially if your original server runs in a virtualized instance), and you can even make use of cloud virtualization solutions to avoid the hassle of keeping a copy of your server locally.

Should the patch go wrong, virtualization lets you roll back to a working state. What more could you want?

3. Test For Really Obvious Holes

As mentioned, HBGary Federal's Website was hacked using an SQL injection attack (SQL being the language used to query the database behind the site).

SQL injection involves a URL created by a hacker accessing data in the database underlying the Website. On most Websites this kind of attack is well-known and URLs are 'scrubbed' to ensure this can't happen, over and above official and necessary access. For whatever reason, HBGary Federal's site neglected to do this, and Anonymous was able to retrieve the username and password database from the site.

Wise up on SQL injection techniques and give them a try on your systems (making sure not to use techniques that might involve data loss, of course). You should also learn all about cross-site scripting (XSS) attacks, if you haven't already.
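To make the 'scrubbing' point concrete, here is an added example (not code from the article or from HBGary's CMS) that puts a query built by string splicing beside the standard defence, a parameterised query. The table, column names and user rows are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample user table; the schema is an assumption for
    # illustration, not HBGary's.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable form: the request value is spliced into the SQL text,
    # so a quote character in the input changes the query's structure.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened form: the driver sends the value separately from the SQL,
    # so whatever the input contains it is compared as data, never parsed.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> tuple:
    # A textbook tautology input: the unsafe query matches every row,
    # the parameterised one matches nothing.
    conn = make_db()
    crafted = "x' OR '1'='1"
    return lookup_unsafe(conn, crafted), lookup_safe(conn, crafted)
```

The same test is cheap to run against your own login and search forms: any input containing a single quote that changes the result set, or produces a database error, is the 'really obvious hole' this section is about.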

4. Store Passwords Securely

With the username database now in their hands, Anonymous set about cracking it. They could have hit a brick wall but, again, poor security procedures made life easy for them. The HBGary Federal database stored passwords as simple MD5 hashes -- a fast, unsalted hash that offers little protection. This allowed Anonymous to use rainbow tables to uncover some passwords. Rainbow tables are 'ready made' databases of prehashed passwords. Put simply, the hashed password list is compared side-by-side with a rainbow table until a match is found.

Hashes can be made stronger by avoiding the use of MD5, which generates short password hashes that are relatively easy to crack, and are vulnerable to collision attacks. The government suggests everybody use the SHA-2 family of hashes, such as SHA-256 or SHA-512.

Additionally, or if MD5 just can't be avoided, the password should be iteratively hashed, which is to say, the hash is rehashed thousands of times. Known as key stretching, this deliberately slows down the hash production, but also slows down attackers to the point of making attacks infeasible. Additionally, hashes can be salted, whereby random data is mixed into the input of the hash so that two users with the same password get different hashes. This makes rainbow-table attacks significantly more difficult, if not impossible.

5. Force Users to Create Complex Passwords

Anonymous was able to decode the passwords of two of HBGary's executive staff (Aaron Barr and Ted Vera). The passwords consisted of eight characters -- six lower-case letters and two numbers.

Had HBGary Federal's systems enforced more complicated passwords, it's less likely that Anonymous would have been able to uncover these passwords. Ideally, HBGary Federal's system should have enforced 10 or 12-character passwords, and insisted that lower and upper-case letters, numbers and symbols appear somewhere in the password.
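Tips 4 and 5 together, as an added example (not code from the article): a policy check for the 10-character, mixed-class rule suggested above, and password storage using salted, iterated SHA-256 (PBKDF2-HMAC) instead of bare MD5. The iteration count and the stored-string layout are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000   # assumption: tune so one hash takes a noticeable fraction of a second
MIN_LENGTH = 10        # the article suggests 10 or 12 characters


def check_policy(password: str) -> list:
    """Return the rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in (("lower-case letter", r"[a-z]"),
                          ("upper-case letter", r"[A-Z]"),
                          ("digit", r"[0-9]"),
                          ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    return problems


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated SHA-256; stored as 'iterations$salt$hash' (hex)."""
    salt = salt or os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def md5_unsalted(password: str) -> str:
    # What the article says HBGary stored: every user with the same password
    # gets the same hash, which is exactly what a rainbow table needs.
    return hashlib.md5(password.encode()).hexdigest()
```

Note that two calls to hash_password with the same password give different strings because of the salt, while md5_unsalted gives the same string every time; that difference is the whole point of salting.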

6. Don't Reuse Passwords

Anonymous now had the username and password details of the executives, and found that the gentlemen concerned had reused the passwords in lots of other places: e-mail accounts, Twitter and a support server, in particular. Thus, Anonymous was able to access their e-mail.

The accounts on the support server were only those of ordinary users but the system wasn't patched against a vulnerability that allowed standard users to use privilege escalation to illicitly get superuser powers. The flaw was patched in November, but the hack took place three months later in February this year (see above -- regularly patch your systems!).

It might have been the case that HBGary admins thought they could trust their users. However, if that's the case, they obviously didn't anticipate a hack attack delivering users they couldn't trust in the slightest.

7. Delete Sensitive E-mails

One of the executives was the administrator of the entire e-mail system, so Anonymous now had control of all HBGary e-mail accounts. Using this they gained access to the account of another executive (Greg Hoglund), where they found an e-mail containing the root password for the rootkit.com site.

Delete any sensitive e-mails you receive, especially those containing passwords. Yes, it's nice to have this kind of info lingering around in your inbox in case you forget, but that's exactly the kind of laziness that hackers exploit.

8. Educate Against Social Engineering

Anonymous had a root password, but they couldn't access the rootkit.com server because it didn't allow root access from outside of the firewall -- a wise security move. They needed to be able to log in as a standard user and then switch to root once logged in.

To get this, they used Greg Hoglund's e-mail account to make contact with somebody who had root access to the server. In an entertaining e-mail exchange, Anonymous first suggested they had problems logging in to the server, using their acquired knowledge of the root password to give themselves authority and credibility. Following this they manipulated the root admin into resetting Greg's password, and also revealing his username -- the two pieces of information they needed.

It was a classic example of social engineering. Clearly, the root admin shouldn't have sent the password or login name via e-mail, but "Greg" appeared to have started the trend by revealing the root password in his initial e-mail. This is a typical social engineering trick used to inspire confidence in the victim.

There are many books and articles out there on social engineering, and many consultants who will come in to teach staff all about it. Essentially, unless you're face to face with an individual, there's simply no way of knowing if the person you're speaking to is who they say they are.

Keir Thomas has been making known his opinion about computing matters since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com. His Twitter feed is @keirthomas.
